Andrew Rose's Blog

As individuals get better access to the technology that enables their participation in the information age, so privacy has to be considered and regulation applied to raise standards to those that are acceptable across that society. It was interesting, therefore, to note the cultural recoil that occurred in response to the NSA’s recently discovered, and rather widespread, caller record collection (not to mention other 'PRISM' related data!) - it’s clear that this has crossed a boundary of acceptability.

This isn’t, however, just a US problem. A news story recently broke in India highlighting that local law enforcement agencies had, over the past six months, compelled mobile phone companies to hand over call detail records for almost 100,000 subscribers. The requisitions originated from different sources and levels within the police force and their targets included many senior police officers and bureaucrats.

Unlike the NSA scrutiny, which, although potentially unreasonable, at least appears legal, the vast majority of these data requests did not have the required formal documentation to uphold or justify the demand, yet they were fulfilled. This was revealed by Gujarat’s State Director General of Police, Amitabh Pathak, and came hot on the heels of a similar story originating from New Delhi, where the mobile phone records of a senior political leader, Arun Jaitley, were also acquired by a very junior law enforcement officer.

Director General Pathak enforced changes to try and address such widespread abuse of the system, but comments suggest that such behaviour may be difficult to eradicate. When one considers the potential benefit to law enforcement from unrestricted data collection, it's easy to understand why – but the balance of privacy and observation has to be defined or we fall into an Orwellian state.

India actually has legislation and regulation governing privacy issues; however, it’s clear that long lead times for prosecution (often five to ten years) and small fines (up to $10,000) mean that they are not getting the traction they need.

Privacy is a topic that is gaining increasing attention in the Asia Pacific region - countries are revising and reviewing their controls to cope with the new technology, the new economic opportunities and the challenges from cybercrime. It will be interesting to see how these laws evolve and whether they follow the same patterns as US law, or align with the more privacy-focussed EU directives.

Irrespective of the behaviour of the NSA or the Indian police, we security professionals must guide our organizations to be as compliant as possible with local law. If you have offices based in the Asia Pacific region, make sure you know the local privacy requirements with the Forrester report entitled “What You Must Know About Data Privacy Regulations In Asia Pacific”.